Some HTML elements, such as `<title>` and `<textarea>`, can contain literal angle brackets without treating them as markup. It is possible to pass a literal closing tag to `.innerHTML` on these elements, and subsequent content after that will be parsed as if it were outside the tag. This can lead to XSS if a site does not filter user input as strictly for these elements as it does for other elements.

External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11744

Acknowledgments:
Name: the Mozilla project
Upstream: Rakesh Mane
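
A site-side check for the breakout described in the issue summary above, as an added example that is not part of the advisory or of Mozilla's fix: it finds a closing tag in input destined for `<title>` or `<textarea>` and escapes the text before it is used as markup. The function names and sample strings are constructed for illustration.

```javascript
// Added example; helper names are hypothetical, not a browser or library API.

// The two text-only elements the advisory names.
const TEXT_ONLY_ELEMENTS = new Set(['title', 'textarea']);

// Returns the index of the first sequence in `input` that an HTML tokenizer
// accepts as the end tag of `tagName`, or -1 if there is none.
// "</name" closes the element only when followed by whitespace, "/" or ">",
// and the name is matched ASCII case-insensitively.
function findEndTagBreakout(tagName, input) {
  const name = String(tagName).toLowerCase();
  if (!TEXT_ONLY_ELEMENTS.has(name)) {
    throw new TypeError('not a text-only element: ' + tagName);
  }
  const endTag = new RegExp('</' + name + '(?=[\\t\\n\\f\\r />])', 'i');
  const match = endTag.exec(String(input));
  return match ? match.index : -1;
}

// Escapes the two characters that are significant inside these elements,
// so the text can no longer contain a closing tag. "&" goes first so the
// entities produced for "<" are not escaped a second time.
function escapeForTextOnlyElement(text) {
  return String(text).replace(/&/g, '&amp;').replace(/</g, '&lt;');
}

// Apply the same strict handling to these elements as to any other sink:
// report whether the raw input would have closed the element, and return
// the escaped form that is safe to place inside it.
function prepareTextOnlyContent(tagName, untrusted) {
  const breakoutAt = findEndTagBreakout(tagName, untrusted);
  const safe = escapeForTextOnlyElement(untrusted);
  return { breakoutAt, safe };
}

// Constructed sample inputs (benign markup only).
const SAMPLES = [
  ['textarea', 'hello </TextArea ><b>after</b>'], // mixed case, space before ">"
  ['title', 'a </titles> b'],                     // different tag name, no breakout
  ['title', 'plain text & nothing else'],
];
for (const [tag, input] of SAMPLES) {
  const { breakoutAt, safe } = prepareTextOnlyContent(tag, input);
  console.log(tag, breakoutAt, JSON.stringify(safe));
}
```

In the browser, assigning untrusted text with `textContent` (or `value` for a `<textarea>`) avoids markup parsing altogether and is preferable to escaping for `.innerHTML`.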
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2663 https://access.redhat.com/errata/RHSA-2019:2663
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11744
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:2694 https://access.redhat.com/errata/RHSA-2019:2694
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2729 https://access.redhat.com/errata/RHSA-2019:2729
Statement: In general, this flaw cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but it may present a risk in browser-like contexts.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2774 https://access.redhat.com/errata/RHSA-2019:2774
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2773 https://access.redhat.com/errata/RHSA-2019:2773
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:2807 https://access.redhat.com/errata/RHSA-2019:2807